KPMG LLP
2001 M Street, NW
Washington, DC 20036-3389

Independent Auditors’ Report

The Public Printer
United States Government Printing Office:

We have audited the accompanying consolidated balance sheets of the United States Government Printing Office (GPO) as of September 30, 2011 and 2010, and the related consolidated statements of revenues, expenses, and changes in retained earnings and cash flows (hereinafter referred to as “consolidated financial statements”) for the years then ended. The objective of our audits was to express an opinion on the fair presentation of these consolidated financial statements. In connection with our fiscal year 2011 audit, we also considered GPO’s internal control over financial reporting and tested GPO’s compliance with certain provisions of applicable laws, regulations, and contracts that could have a direct and material effect on these consolidated financial statements.

Summary

As stated in our opinion on the consolidated financial statements, we concluded that GPO’s consolidated financial statements as of and for the years ended September 30, 2011 and 2010, are presented fairly, in all material respects, in conformity with U.S. generally accepted accounting principles.

Our consideration of internal control over financial reporting resulted in identifying certain deficiencies that we consider to be significant deficiencies, as defined in the Internal Control over Financial Reporting section of this report, as follows:

   A. Controls over Processing and Maintenance of Human Resource and Payroll Information
   B. Information Technology General and Application Controls

We did not identify any deficiencies in internal control over financial reporting that we consider to be material weaknesses as defined in the Internal Control over Financial Reporting section of this report.

The results of our tests of compliance with certain provisions of laws, regulations, and contracts disclosed no instances of noncompliance or other matters that are required to be reported herein under Government Auditing Standards, issued by the Comptroller General of the United States.

The following sections discuss our opinion on GPO’s consolidated financial statements; our consideration of GPO’s internal control over financial reporting; our tests of GPO’s compliance with certain provisions of applicable laws, regulations, and contracts; and management’s and our responsibilities.

Opinion on the Financial Statements

We have audited the accompanying consolidated balance sheets of the United States Government Printing Office as of September 30, 2011 and 2010 and the related consolidated statements of revenues, expenses, and changes in retained earnings and cash flows for the years then ended.

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative (“KPMG International”), a Swiss entity.

In our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the financial position of the United States Government Printing Office as of September 30, 2011 and 2010, and the results of its operations and its cash flows for the years then ended, in conformity with U.S. generally accepted accounting principles.

Our audits were conducted for the purpose of forming an opinion on the consolidated financial statements taken as a whole. The information in the Management’s Discussion and Analysis section is presented for purposes of additional analysis and is not required as part of the consolidated financial statements. This information has not been subjected to auditing procedures and, accordingly, we express no opinion on it.

Internal Control over Financial Reporting

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.

Our consideration of internal control over financial reporting was for the limited purpose described in the Responsibilities section of this report and was not designed to identify all deficiencies in internal control over financial reporting that might be deficiencies, significant deficiencies, or material weaknesses. In our fiscal year 2011 audit, we did not identify any deficiencies in internal control over financial reporting that we consider to be material weaknesses, as defined above. However, we identified certain deficiencies in internal control over financial reporting described in Exhibit I that we consider to be significant deficiencies in internal control over financial reporting. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

Exhibit II presents the status of prior year significant deficiencies.

We noted certain additional matters that we have reported to management of GPO in a separate letter.

Compliance and Other Matters

The results of our tests of compliance as described in the Responsibilities section of this report disclosed no instances of noncompliance or other matters that are required to be reported herein under Government Auditing Standards.

*******

Responsibilities

Management’s Responsibilities. Management is responsible for the consolidated financial statements; establishing and maintaining effective internal control; and complying with laws, regulations, and contracts applicable to GPO.

Auditors’ Responsibilities. Our responsibility is to express an opinion on the fiscal year 2011 and 2010 consolidated financial statements of GPO based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America and the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States. Those standards require that we plan and perform the audits to obtain reasonable assurance about whether the consolidated financial statements are free of material misstatement. An audit includes consideration of internal control over financial reporting as a basis for designing audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of GPO’s internal control over financial reporting. Accordingly, we express no such opinion.

An audit also includes:

•   Examining, on a test basis, evidence supporting the amounts and disclosures in the consolidated financial statements;
•   Assessing the accounting principles used and significant estimates made by management; and
•   Evaluating the overall consolidated financial statement presentation.

We believe that our audits provide a reasonable basis for our opinion.

In planning and performing our fiscal year 2011 audit, we considered GPO’s internal control over financial reporting by obtaining an understanding of GPO’s internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements, but not for the purpose of expressing an opinion on the effectiveness of GPO’s internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of GPO’s internal control over financial reporting.

As part of obtaining reasonable assurance about whether GPO’s fiscal year 2011 consolidated financial statements are free of material misstatement, we performed tests of GPO’s compliance with certain provisions of laws, regulations, and contracts, noncompliance with which could have a direct and material effect on the determination of the consolidated financial statement amounts. We limited our tests of compliance to the provisions described in the preceding sentence, and we did not test compliance with all laws, regulations, and contracts applicable to GPO. However, providing an opinion on compliance with laws, regulations, and contracts was not an objective of our audit and, accordingly, we do not express such an opinion.

______________________________

GPO’s responses to the findings identified in our audit are presented in Exhibit I. We did not audit GPO’s responses and, accordingly, we express no opinion on them.

This report is intended solely for the information and use of GPO’s management, GPO’s Office of Inspector General, the U.S. Government Accountability Office, and the U.S. Congress and is not intended to be and should not be used by anyone other than these specified parties.

December 16, 2011

Exhibit I

Fiscal Year 2011 Significant Deficiencies

A. Controls over Processing and Maintenance of Human Resource and Payroll Information

We noted the following areas where the United States Government Printing Office (GPO) needs to improve its internal controls over processing and maintenance of human resource and payroll information:

a. We noted that 35 of 120 employees tested during the year were nominated and approved for a goal sharing payment. Of the 35, we noted 1 employee never received the goal sharing award of $100 even though the employee was approved and included on the list of approved awardees that was sent to the National Finance Center (NFC), GPO’s payroll/personnel service provider, for payment.

b. We noted 24 of 120 balances tested where the annual leave balance recorded in Web Time & Attendance (WebTA) did not agree to the annual leave balance recorded by the NFC, which is reflected on the employee’s Statement of Earnings and Leave. WebTA is GPO’s web-based time and attendance program which employees use to enter and keep track of their hours worked and leave used. GPO management detected and corrected the errors during the year for 21 of the 24 exceptions. However, for the remaining 3 employees tested, 2 had balances that were not detected or corrected by management as of September 30, 2011, resulting in an incorrect leave balance recorded at year end, and 1 employee separated from the agency in July 2010 with the incorrect leave balance.

c. We noted for 2 of 72 personnel files reviewed that the GPO payment plan reflected on the Standard Form (SF)-50, Notification of Personnel Action, did not agree to the GPO payment plan reflected on the SF-52, Request for Personnel Action, maintained in the employee’s personnel file. However, we noted that in each of these instances the employee’s rates of pay reflected on the SF-50 and SF-52 were in agreement with the amount being processed by NFC for the pay period tested.

d. Of the 120 WebTA sheets reviewed, we identified 8 instances where the WebTA sheet was certified by a person not listed on the list of approved supervisors. Additionally, no evidence was made available to verify that the individuals who certified the timesheets had been delegated that authority by an approved supervisor or that the supervisor had reviewed the timesheet in the following period for reasonableness.

The Government Accountability Office’s (GAO) Standards for Internal Control in the Federal Government requires the following:

•   Control activities are the policies, procedures, techniques, and mechanisms that enforce management’s directives, such as the process of adhering to requirements or budget development and execution. They help ensure that actions are taken to address risks. Control activities are an integral part of an entity’s planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results.

•   Control activities occur at all levels and functions of the entity. They include a wide range of diverse activities such as approvals, authorizations, verifications, reconciliations, performance reviews, maintenance of security, and the creation and maintenance of related records which provide evidence of execution of these activities as well as appropriate documentation. Control activities may be applied in a computerized information system environment or through manual processes.

•   Transactions should be promptly recorded to maintain their relevance and value to management in controlling operations and making decisions. This applies to the entire process or life cycle of a transaction or event from the initiation and authorization through its final classification in summary records. In addition, control activities help to ensure that all transactions are completely and accurately recorded.

The causes of the conditions above were deficiencies in the operating effectiveness of internal controls to ensure all information processed is properly reviewed for accuracy and reasonableness.

Recommendations:

We recommend that GPO strengthen its controls over the processing and maintenance of human resource and payroll information as follows:

1. Perform a review of all information uploaded to NFC to verify that the upload was successful and accurate.

2. Develop and implement Standard Operating Procedures detailing how to correctly enter leave adjustments in the WebTA system and the NFC mainframe.

3. Develop and implement policies and procedures for payroll personnel to reconcile annual leave balances per WebTA to NFC to ensure that leave hours are properly accrued and that the annual leave balance is correct at the end of each pay period.

4. Improve communication with NFC to ensure that: a) the GPO payment plan information reflected on the SF-50s maintained in employee personnel files is accurate; and b) employee pay plans provided to NFC agree with employee actions and their personnel file.

5. Develop and implement policies and procedures over the maintenance of authorized and approved Web Time & Attendance certifiers. Policies and procedures should be established to prevent inappropriate delegations of certifying authority. In addition, all approved delegates should be properly trained and able to determine the reasonableness of hours and/or expenses which they are certifying.

Management Response:

Management concurs with these recommendations and has already worked to implement a corrective action plan.

B. Information Technology General and Application Controls

During fiscal year 2011, deficiencies in the design and/or operation of GPO’s information technology (IT) general and application controls were noted in the areas of Security Management, Access Controls, Segregation of Duties, Configuration Management, and Contingency Planning. These conditions were generally due to resource constraints and competing priorities at GPO. The details of these conditions, several of which have been reported to management in prior years’ audit reports, are as follows:

1. Security Management

GPO made progress in fiscal year 2011 to formalize its established information security objectives and high-level policy. However, we noted that although GPO had previously completed the security assessment and authorization process for both the GPO Business Information System (GBIS) and the GPO General Support System (GSS), GBIS has operated without a current security authorization since May 2010, when the Interim Authorization to Operate (IATO) for GBIS expired. Also, the following exceptions were observed during our test work:

   i.  For both GSS and GBIS, System Security Plans and Risk Assessment Reports did not include IT security controls that were equivalent to the high impact control baseline from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations.

   ii. For GBIS and the GSS, security assessment testing did not include a population of IT security controls equivalent to the high impact control baseline from NIST SP 800-53.

Operating an application in production without a current security authorization increases the risk that, since the previous security assessment and authorization, the current state of the system, its controls, or the environment it operates in will have changed to the point that the system security plan no longer describes the system’s current controls or plans necessary controls, and the security assessment no longer considers the full range of significant risks to which the system is subject.

Incomplete system security plans may lead to incomplete security assessment testing that does not include all necessary IT security controls and does not document test procedures and results for all necessary IT security controls. Not performing security assessment testing of all necessary IT security controls increases the risk that control gaps or weaknesses will not be detected and corrected or be mitigated with compensating controls. This may lead to necessary controls not being included in system security plans. The resulting control gaps may subject data and resources to unauthorized use, loss, or disclosure.

Additionally, not documenting system security plans in detail sufficient to plan IT controls that are identical or equivalent to the applicable NIST SP 800-53 baseline controls may lead to gaps in system security planning, and more specifically, may lead to GPO not planning and implementing IT security controls that are equivalent or identical to those recommended by NIST SP 800-53.

2. Access Controls

Overall, access controls at GPO continue to require strengthening in order to provide a more secure financial processing and computing environment. GPO management made progress in addressing the access control deficiencies noted in prior years. However, we noted the following access control deficiencies that need improvement:

a. User access was not consistently removed after users left GPO or changed job duties:

   i.  Of a sample selection of 15 separated GPO personnel, 3 retained access to GPO’s Active Directory network.

b. Periodic reviews of user access were not consistently documented:

   i.  The GPO Finance Office lacks documented evidence of a monthly GBIS user access review and recertification. On a monthly basis, IT Security sent user access lists to the Finance Office for review. However, the Finance Office did not retain evidence of its reviews.

   ii. There is no process in place to document a periodic review of GPO GSS users.

c. Audit logs at the application level for GBIS are not reviewed.

Access controls should provide reasonable assurance that computer resources (data files, application programs, and computer-related facilities and equipment) are protected against unauthorized access, modification, disclosure, loss, or impairment. Not removing the accounts of separated users in a timely manner increases the risk that unauthorized users will gain access to information systems.

Not consistently documenting periodic reviews of user access increases the risk that users who no longer require access will retain access.

With no audit log reviews done at the application level for GBIS, events within the application that may represent attempts to gain unauthorized access or otherwise circumvent controls may not be detected and responded to.
3. Segregation of Duties

Effective segregation of duties starts with effective entity-wide policies and procedures that are implemented at the system and application levels. Although Finance Office segregation of duties procedures document conflicting activities within GBIS, the procedures are not sufficiently detailed to identify which roles within GBIS are considered to be conflicting. Not identifying conflicting roles within GBIS may lead to GBIS users having conflicting access to this key financial system, which could result in a user having end-to-end control over a transaction such that they could both initiate and approve an erroneous transaction.

4. Configuration Management

GPO does not centrally manage the security patching of Microsoft Windows desktops and laptops. Desktop and laptop computers without current security patches may not be properly safeguarded from security vulnerabilities. As a result, vulnerabilities may be exploited and data and resources may be subject to unauthorized use, loss, or disclosure.

GPO Information Technology and Systems (IT&S) management has implemented a process for centrally managing patching for Microsoft Windows servers using Microsoft Windows Server Update Services (WSUS). GPO’s first priority was to implement the patch management process for these servers. However, GPO has not yet created standard operating procedures for desktop/laptop patch management and has not yet expanded its centralized Microsoft Windows patch management process to include desktops and laptops.

5. Contingency Planning

The contingency plan for GPO’s GSS has not been finalized, approved or tested, and is still in draft form. Without an effective contingency plan and testing process in place, GPO may not be able to successfully recover critical applications and systems to maintain business functions in the event of a service disruption. Without documented contingency plan test results, management may be unaware of any weaknesses in disaster recovery capabilities that could have been revealed by disaster recovery testing.

Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems, requires organizations to authorize the operation of organizational information systems.

NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, provides more detailed guidance for the security authorization process and directs organizations to:

•   Develop security plans for information systems that describe the security controls in place or planned for meeting the control requirements from SP 800-53, including rationale for control tailoring and supplementation decisions, and

•   Assess the planned security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome, and to document the results of the assessment to provide to the authorizing official.

NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, provides guidance for managing access controls and directs organizations to:

•   Operate procedures for disabling and removing access when users are terminated, transferred, or information system usage or need-to-know/need-to-share changes;

•   Periodically review accounts;

•   Implement separation of duties through assigned information system access authorizations; and

•   Review and analyze information system audit records for indications of inappropriate or unusual activity and report findings to designated organizational officials.

NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, states that organizations should remediate vulnerabilities by maintaining a process to install security patches.

In addition, NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, states that organizations should develop contingency plans for their information systems that are reviewed and approved by designated officials, should test to determine the plans’ effectiveness, should review the contingency plan test results, and initiate corrective actions.

Recommendations:

We recommend that GPO continue to strengthen its IT general and application controls in each of the five identified domains, as follows:

1. Security Management

   We recommend that GPO management ensure that:

   a. GPO documents system security plans and risk assessments in detail sufficient to plan system security controls for general support systems and major applications that are equivalent to the NIST SP 800-53 high-impact baseline controls.

   b. Security assessment testing used to support decisions to authorize systems for operation covers all planned system security controls at the point of initial authorization and at least once every three years thereafter, and includes descriptions of the test procedures performed and the results obtained.

   c. The GBIS application is re-authorized to operate.

2. Access Controls

   We recommend that GPO management ensure that:

   a. The sign-out process for removing system access from separated personnel is evaluated, revised as necessary, and formally documented to help ensure that system access is removed at the time personnel leave GPO.

   b. A periodic review of users with access to the GPO GSS is implemented.

   c. Procedures for periodically reviewing and recertifying access to GPO systems, including GBIS, are evaluated, revised as necessary, and formally documented to help ensure that access is reviewed on a periodic basis and that the review is documented.

   d. GPO designs and implements a risk-based approach to reviewing application audit log events for GBIS.

3. Segregation of Duties

   We recommend that GPO management revise procedures for maintaining segregation of duties within GBIS so that the procedures include sufficient detail to identify conflicting roles within GBIS.

4. Configuration Management

   We recommend that GPO management ensure that:

   a. IT&S completes the development of centrally managed desktop and laptop patch management procedures to help ensure that security patches are deployed to desktop and laptop computers in a timely manner.

   b. IT&S documents standard operating procedures for desktop and laptop patch management.

5. Contingency Planning

   We recommend that GPO management:

   a. Finalize and approve the contingency plan for GPO’s GSS.

   b. Periodically perform contingency plan testing, document the test plans and results, and take appropriate corrective action based on the results, if necessary, for GPO’s GSS.

Management Response:

Management concurs with these recommendations and is in the process of implementing a corrective action plan.

Exhibit II

Status of Prior Year Findings

Each entry below gives the prior year condition, its status as of September 30, 2011, and the prior year recommendation.

Significant Deficiencies

A. Controls over Preparation, Review, and Approval of Special Journal Entries

   Status as of September 30, 2011: Closed

   Prior Year Recommendation: We recommended that GPO strengthen its internal control over the preparation, review and approval of special journal entries by:

   1. Requiring that GPO personnel responsible for preparing an entry (1) gather the necessary facts and supporting documentation to fully understand the entry that they are preparing; and (2) perform a self-review over the entry prior to submitting it for approval to ensure that the proper accounts, cost codes, function codes, and amounts are used for the journal entries.

   2. Developing standard operating procedures documenting the requirements and instructions for supervisors reviewing journal entries including: (1) which supervisors are qualified to review certain types of special journal entries that impact certain areas (i.e., for all entries that impact fixed assets, the Chief of Property and Accounting must approve); (2) what information should be verified before the entry can be approved; and (3) the type of documentation that is considered to be sufficient to support/justify the basis for the entry.

B. Controls over Processing and Maintenance of Human Resource Data

   Status as of September 30, 2011: Significant Deficiency. This finding has been partially repeated in FY 2011; see Exhibit I.

   Prior Year Recommendation: We recommended that GPO strengthen its controls over the processing and maintenance of human resource and payroll information as follows:

   1. Improve controls within the Human Capital Office and the Finance Department to ensure that only employees who are eligible to participate in GPO’s annual goal sharing program pursuant to GPO Directive 665.22 receive annual goal sharing payments.

   2. Improve its internal controls to ensure that GPO payment plan information reflected on the SF-50s maintained in employee personnel files is accurate, and that employee service dates reflected in WebTA agree with employee service dates reflected in NFC records and the SF-52 maintained in the employee’s personnel file.

   3. Develop Standard Operating Procedures detailing how to correctly enter leave adjustments in the WebTA system and the NFC mainframe.

   4. Develop a report based on information from NFC that can be run bi-weekly that will identify any change made to an employee’s record subsequent to the initial interface with NFC.

   5. Implement a control where payroll personnel reconcile the annual leave balances per WebTA to NFC, ensuring that the proper number of hours is being accrued per pay period and that the annual leave balance is correct.

C. Information Technology General and Application Controls

1. Security Management

   Status as of September 30, 2011: Significant Deficiency. This finding has been partially repeated in FY 2011; see Exhibit I.

   Prior Year Recommendation: We recommended that GPO management document its system security plans in detail sufficient to plan system security controls for general support systems and major applications that are identical or equivalent to the applicable NIST SP 800-53 baseline controls. In addition, we recommended the following:

   a. GPO management document its risk assessments and consider a full range of significant risks to be consistent with risk assessment requirements from NIST SP 800-30. Also, we recommended that when creating a security authorization package, GPO document procedures performed and results obtained for security assessment testing of all planned IT security controls. Additionally, we recommended that GPO update the security authorization package for the GSS and, after planning and successfully testing the necessary IT security controls, re-authorize it for operation.

   b. GPO management document and implement procedures to identify all personnel with significant information security responsibilities and ensure that they receive periodic role-based IT security training.

   c.
GPO request that Oracle amend the scope of the SAS-70\n                         report for Oracle On-Demand to include the Federal Zone\n                         where the servers for GBIS are hosted.\n2. Access Controls    We recommended that GPO management:                               Significant\n                                                                                        Deficiency\n                      a. Evaluate, revise as necessary, and formally document\n                                                                                        This finding has\n                         procedures for approving access to the GSS and GBIS to\n                                                                                        been partially\n                         help ensure that approvals are documented prior to\n                                                                                        repeated in FY\n                         granting users access.\n                                                                                        2011; see\n.\n\x0c                                                                                            Exhibit II\n\n                                 Status of Prior Year Findings\n\n\n\n                    b. Ensure that controls for removing system access from           Exhibit I.\n                       separated contractors, including the periodic contractor\n                       network access review and setting contractor network user\n                       accounts to expire, are consistently operated for all\n                       contractors with access to GPO\xe2\x80\x99s network.\n\n                    c. 
Evaluate, revise as necessary and formally document\n                       procedures for periodically reviewing and recertifying\n                       access to GPO systems to help ensure that access that\n                       users do not need is removed timely.\n\n                    d. Restrict access to applications and systems, including the\n                       GBIS rate maintenance responsibility, to personnel based\n                       on defined roles and responsibilities. Access should be\n                       removed from user access accounts that do not require\n                       such access.\n\n                    e. Enhance its policies and procedures over password\n                       settings. With the exception of system service accounts,\n                       management should ensure that password expiration\n                       settings are applied to all users\xe2\x80\x99 network accounts.\n\n                    f.   Design and implement a risk-based approach to reviewing\n                         application audit log events for GBIS.\n\n                    g. Consistently perform and document a periodic review and\n                       recertification of the data center physical access list. The\n                       review and certification should be performed and\n                       documented, at a minimum, on a quarterly basis.\n3. 
Segregation of                                                                     Significant\n                    We recommended that GPO management document the\n   Duties                                                                             Deficiency\n                    permissions used within GBIS, identify which permissions\n                                                                                      This finding has\n                    conflict, and ensure that conflicting permissions are not\n                                                                                      been repeated in\n                    assigned to the same user.\n                                                                                      FY 2011; see\n                                                                                      Exhibit I.\n4. Configuration    We recommended that GPO management :                              Significant\n   Management                                                                         Deficiency\n                    a. Take steps to ensure that emergency changes to GBIS are        This finding has\n                       approved and are tested as soon as possible after              been partially\n                       implementation into production.                                repeated in FY\n                                                                                      2011; see\n                                                                                      Exhibit I.\n                    b. Complete the development of centrally managed desktop\n                       and laptop patch management procedures to help ensure\n                       that security patches are deployed to desktop and laptop\n                       computers in a timely manner. 
We also recommended that\n                       GPO document its standard operating procedures for patch\n.\n\x0c                                                                                   Exhibit II\n\n                             Status of Prior Year Findings\n\n\n\n                    management.\n5. Contingency                                                                Significant\n                 We recommended that management:\n   Planning                                                                   Deficiency\n                 a. Finalize and approve the contingency plan for GPO         This finding has\n                    General Support System Number 1.                          been repeated in\n                 b. Periodically perform contingency plan testing and         FY 2011; see\n                    document the test plans and the results for GPO General   Exhibit I.\n                    Support System Number 1.\n\n\n\n\n.\n\x0c"
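The access-control and segregation-of-duties recommendations in Exhibit II (items C.2.b, C.2.e and C.3) describe checks that lend themselves to a scripted periodic review: flagging users who hold conflicting permissions, non-service accounts whose passwords never expire, and contractor accounts without an expiry or still active past contract end. The following is an added example written for this page, not GPO's or KPMG's code and not tied to GBIS or any real directory; the account records, permission names, conflict pairs and dates are constructed sample data, and the review date is set to the report's fiscal year end only for illustration.

```python
"""Offline access-review checks in the spirit of Exhibit II items C.2 and C.3.

Added example, not GPO's or KPMG's code. Every account, permission name,
conflict pair and date below is constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from itertools import combinations
from typing import Optional

# Constructed sample: permission pairs that one person should not hold at once,
# because together they let a single user both initiate and approve an action.
CONFLICTING_PERMISSIONS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_journal_entry", "approve_journal_entry"}),
    frozenset({"maintain_rates", "approve_rate_change"}),
}

# Constructed review date (the report's fiscal year end, used only as a sample).
REVIEW_DATE = date(2011, 9, 30)


@dataclass
class Account:
    user: str
    permissions: set = field(default_factory=set)
    account_type: str = "employee"          # "employee", "contractor" or "service"
    password_expires: bool = True
    account_expiry: Optional[date] = None   # None means the account never expires
    contract_end: Optional[date] = None     # contractors only (hypothetical field)


def sod_conflicts(acct: Account) -> list:
    """Conflicting permission pairs held by a single account (item C.3)."""
    held_pairs = {frozenset(p) for p in combinations(sorted(acct.permissions), 2)}
    return sorted(tuple(sorted(p)) for p in held_pairs & CONFLICTING_PERMISSIONS)


def password_policy_gaps(accounts) -> list:
    """Users whose passwords never expire, excluding system service accounts,
    which item C.2.e explicitly exempts."""
    return sorted(a.user for a in accounts
                  if a.account_type != "service" and not a.password_expires)


def contractor_expiry_gaps(accounts, today: date) -> list:
    """Contractor accounts that lack an expiry, expire after the contract ends,
    or are still active after the contract has ended (item C.2.b)."""
    gaps = []
    for a in accounts:
        if a.account_type != "contractor":
            continue
        active = a.account_expiry is None or a.account_expiry > today
        if a.account_expiry is None:
            gaps.append((a.user, "no account expiry set"))
        elif a.contract_end and a.account_expiry > a.contract_end:
            gaps.append((a.user, "account expiry later than contract end"))
        if active and a.contract_end and a.contract_end < today:
            gaps.append((a.user, "contract ended, account still active"))
    return gaps


def review(accounts, today: date) -> dict:
    """Run all three checks and return the findings as one report."""
    return {
        "sod": {a.user: sod_conflicts(a) for a in accounts if sod_conflicts(a)},
        "password_never_expires": password_policy_gaps(accounts),
        "contractor_accounts": contractor_expiry_gaps(accounts, today),
    }


# Constructed sample accounts exercising each check.
SAMPLE_ACCOUNTS = [
    Account("alice", {"enter_journal_entry", "approve_journal_entry", "view_reports"}),
    Account("bob", {"maintain_rates"}, password_expires=False),
    Account("svc_backup", set(), account_type="service", password_expires=False),
    Account("carol", {"view_reports"}, account_type="contractor",
            contract_end=date(2011, 6, 30)),
    Account("dave", {"view_reports"}, account_type="contractor",
            account_expiry=date(2012, 3, 31), contract_end=date(2011, 12, 31)),
    Account("erin", {"view_reports"}, account_type="contractor",
            account_expiry=date(2011, 12, 31), contract_end=date(2011, 12, 31)),
]

if __name__ == "__main__":
    for section, findings in review(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(section, findings)
```

The conflict set is the documented output of item C.3 (which permissions conflict); the script then only has to test each user's permissions against it. Service accounts are carved out of the password check exactly as the recommendation allows, and the contractor check reports an account that has no expiry separately from one that outlives its contract, since the two need different remediations.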